How to disable Hybrid Microsoft Entra ID Join from Entra Connect?

Hello Harry,

After I choose "Customize synchronization options" and go through the Wizard, there is no "Device Options" option anywhere.

Hi Harry, have you had the time to review my above comment?

Hi Shadi,

If you don’t see “Device Options” in the Entra Connect wizard, it means the server was installed without the device write‑back or hybrid join components. In newer builds of Microsoft Entra Connect, the Hybrid Microsoft Entra ID Join setting is exposed only if you selected “Configure device options” during the initial setup. If you skipped that, the wizard won’t show it under “Customize synchronization options.”

To disable Hybrid Join cleanly, you need to re‑run the Entra Connect configuration and specifically choose “Configure device options.” From there you can uncheck Hybrid Microsoft Entra ID Join for Windows 10/11 devices. Once you complete the wizard and allow a sync cycle, new devices will stop registering. If you want to fully remove the capability, you should also delete the Service Connection Point (SCP) in Active Directory. This is located under CN=Services,CN=Configuration,DC=<domain> and can be removed with ADSI Edit or PowerShell (Remove-ADObject), but only after confirming no policies depend on hybrid join.

Existing hybrid‑joined devices will remain registered until you manually unregister them with dsregcmd /leave and reboot. If you don’t want to touch each client, you can leave them as they are; disabling the SCP and device options only prevents new registrations.

So the next step is to re‑run Entra Connect, select “Configure device options,” and remove Hybrid Join there. If that option still doesn’t appear, it means the feature was never fully provisioned, and you should proceed directly to removing the SCP in AD to stop hybrid join attempts.

Hello Harry, I believe you misunderstood what I said. Let me re-iterate.

Take a look at the below two images. If I click on "Configure Device Options" and proceed, it takes me to the next page where I would usually configure the Hybrid join options. As you can see, the option itself is checked, and there's no way to uncheck it in the UI. This is my main issue.

Now, if I go into "Customize Synchronization Options", the "Device Options" option does not exist there. I've also viewed other videos and documentations and "Device Options" does not exist under "Customize Synchronization Options".

It just shows options for syncing/unsyncing certain OUs. See images below:

I hope I get you this time.

Well, the “Configure Device Options” wizard is the only place where Hybrid Microsoft Entra ID Join can be managed. Once enabled, the checkbox appears locked because the configuration is already committed. The “Customize Synchronization Options” wizard does not expose device options, which is why you cannot uncheck Hybrid Join there. To disable it, you must re‑run the Entra Connect setup, go through “Configure Device Options,” and clear the Windows 10/11 device system selection. You should also remove the Service Connection Point (SCP) from Active Directory under CN=Services,CN=Configuration,DC=<domain> if you want to fully stop hybrid join attempts.

Disabling in Connect only prevents new devices from registering; existing hybrid‑joined devices remain until manually unregistered with dsregcmd /leave. The absence of “Device Options” under “Customize Synchronization Options” is by design and not a bug. The supported rollback path is to reconfigure through “Configure Device Options” and clean up the SCP. This ensures no new hybrid joins occur and existing devices can be handled individually.